random drv, sys and nls after braviax

Discussion in 'Malware Help (A Specialist Will Reply)' started by macmac_101, Mar 12, 2008.

  1. macmac_101

    macmac_101 Private E-2

    Hello,

    I am new to the forum and I have searched extensively for this but cannot find any resource to indicate where the problem is.

    After removing braviax and all its friends that came along for the ride, my computer is running better than ever. However, when I was troubleshooting the issue, there were always 3 temp files with random names (something like fphttppp.sys or .drv or .dll) in the account folder (doc and settings\user_account\local_settings\temp), and always at least one returns in the registry: HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENT_USER\Run | fphttppp

    I have run ALL the programs that have been indicated in ANY braviax thread to clean, and all return no issues. HJT logs show the problem, but I will only post them upon request.

    Ever heard of this....anyone....
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  3. macmac_101

    macmac_101 Private E-2

    Ok, I have run through the "readme first" stuff and currently both combofix and analyse show the temp files registered under the HKLM area.

    I have run CCleaner, combofix, spybotS&D, avenger and all appear clean. You would think I have nothing to worry about, but there are these .DRV and .SYS files as well as .NLS / .DLL files in the local account's temp folder; they are all the same file size (111kb) and the .DLL is usually added to the RUN of HKLM.

    I know that usually the temp folder is full of .TMP files and that most temp files DO NOT register themselves into the registry, especially RUN. I know there is more here, but I cannot find the service or program controlling the addition of the registry key or the strange temp files.

    POSTING MY MGLOGS.ZIP (NOTE: 015 and 017 were deleted from the HJT log for security purposes; other logs have computer info removed for security purposes as well.)

    View attachment MGlogs.zip

    View attachment ComboFix.txt
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    All steps in the READ ME need to be completed in the order given. You did not run the first tool we asked you to run which was SUPERAntispyware. Please run it and attach the requested log.

    If you deleted any info I need to give you a proper fix, then obviously a fix I give you is not going to work.

    Nothing belongs on the Trusted Zone anyway. I have more than 50 PCs that I use and have never required anything to be in the TZ. I'm not saying it is impossible that you need it, but it is improbable that it is really necessary.

    You appear to be missing files for some necessary Windows Services. This can be seen in your HijackThis log:
    O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing)
    O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing)


    Are the below things you downloaded and put here?
    Code:
    2008-03-12 07:38 . 2008-03-12 07:38 19,286 --a------ C:\cleanup.exe
    2008-03-12 07:38 . 2008-03-12 07:38 574 --a------ C:\cleanup.bat

    Uninstall Anti Virus Pro spyware remover, which is a rogue/fake antivirus program.

    You should block the below from having access through your firewall.
    C:\WINDOWS\system32\winav.exe

    Something changed your C:\WINDOWS\system32\svchost.exe file on March 10th. You should scan this file to make sure it is not infected. You can scan it here: http://virusscan.jotti.org/

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [ndtltdhp] rundll32.exe "C:\DOCUME~1\ncrhelp\LOCALS~1\Temp\npjhlndrnjf.nls" WLEntryPoint
    O4 - HKLM\..\Policies\Explorer\Run: [hhbddd] rundll32.exe "C:\WINDOWS\system32\thhhlpdpjd.sys" WLEntryPoint
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O21 - SSODL: guBVucyMy - {70B713A9-DA1D-B903-9A5B-72A281F18CA6} - C:\WINDOWS\system32\dvgg.dll

    After clicking Fix, exit HJT.

    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note: Do not mouse-click combofix's window while it is running. That may cause it to stall.

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
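As an added defender-side example (not from the thread and not one of the MajorGeeks tools), this Python script applies the pattern visible in posts 3 and 4 to HijackThis O4 lines: rundll32 loading a module out of a Temp folder, a module carrying a non-DLL extension such as .nls/.sys/.drv, or an autorun placed under Policies\Explorer\Run. The embedded sample log contains the two O4 lines quoted in the thread plus two benign entries constructed for contrast; the NvCpl and jusched paths are illustrative assumptions.

```python
import re
from pathlib import PureWindowsPath

# HijackThis O4 line: "O4 - <hive>\..\<key>: [<value name>] <command>"
O4_RE = re.compile(r'^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
# rundll32 command forms: rundll32.exe "<module>" <entry>  or  rundll32.exe <module>,<entry>
RUNDLL_RE = re.compile(r'^"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+"?(?P<module>[^",]+)"?', re.I)
# rundll32 loads whatever PE it is handed regardless of extension; the thread's
# droppers hid behind .sys/.drv/.nls names in %TEMP%.
DISGUISED_EXT = {".sys", ".drv", ".nls", ".tmp", ".dat"}

# Constructed sample log: the two O4 lines quoted in the thread plus two benign
# entries made up for contrast (NvCpl/jusched paths are illustrative only).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ndtltdhp] rundll32.exe "C:\DOCUME~1\ncrhelp\LOCALS~1\Temp\npjhlndrnjf.nls" WLEntryPoint
O4 - HKLM\..\Policies\Explorer\Run: [hhbddd] rundll32.exe "C:\WINDOWS\system32\thhhlpdpjd.sys" WLEntryPoint
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
"""

def assess_o4(line):
    """Reasons an O4 entry resembles the thread's rundll32 dropper; [] if nothing stands out."""
    m = O4_RE.match(line.strip())
    if not m:
        return []
    r = RUNDLL_RE.match(m.group("cmd"))
    if not r:                      # only rundll32-style loaders are assessed here
        return []
    module = PureWindowsPath(r.group("module"))
    reasons = []
    if "temp" in (p.lower() for p in module.parts):
        reasons.append("rundll32 loads a module from a Temp directory")
    if module.suffix.lower() in DISGUISED_EXT:
        reasons.append("rundll32 loads a %s file as a DLL" % module.suffix.lower())
    if "policies" in m.group("key").lower():
        reasons.append("autorun under Policies\\Explorer\\Run, an uncommon persistence key")
    return reasons

def triage(log_text):
    """Map each suspicious O4 line in an HJT log to the reasons it was flagged."""
    return {ln.strip(): assess_o4(ln) for ln in log_text.splitlines() if assess_o4(ln)}

if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG).items():
        print(entry, "\n   ->", "; ".join(why))
```

Both thread entries are flagged on two counts each, while the constructed NvCpl and jusched lines pass, which is the same split chaslang drew by hand.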
     
